The California Consumer Privacy Act (CCPA) requires that privacy notices be updated annually, and that the detailed disclosures it prescribes for those notices reflect the 12-month period prior to the effective (posting) date. Interestingly, failure to make annual updates was one of several alleged CCPA violations that resulted in a recent $1.35 million administrative civil penalty by the California Privacy Protection Agency (CPPA) against retailer Tractor Supply Company. Also, three more state consumer protection laws go into effect on January 1, 2026, which will require notice and consumer rights intake changes, if applicable. Additionally, new and amended CCPA regulations will bring new obligations for businesses starting the first of the year that need to be addressed between now and then. Also recommended is a general checkup with particular attention to enforcement priorities. Here are some things to do in preparation for 2026:
- Assess which of the 20 state consumer privacy laws (CPLs) apply to your business, and update notices and rights request processes to identify which apply and address material differences in what each requires.
- Consider new or modified data practices initiated in 2025, or under consideration to be introduced in 2026, complete risk assessments on them, and update the privacy notice to reflect at least the preceding 12-month period.
- Implement a data processing risk assessment program, or revise the current process to reflect the new CCPA requirements, effective January 1.
- Confirm you have contracts in place containing data protection terms required by CCPA and other CPLs with parties that receive (or access) your personal data – an ongoing California enforcement priority. Have these organized by service provider / processor or third party and be prepared to produce them upon regulatory inquiry.
- Employers, especially in California, need to address use of automated decision-making tools. This will become an even more complex and time-sensitive matter for California employers if Governor Newsom does not veto SB-7 (the “No Robo-Bosses” Act), which would become effective January 1 and add further requirements and restrictions on technology-assisted HR decision-making. (Note: An inadequate privacy notice and rights request process for personnel was another basis for the Tractor Supply penalty.)
- Review your tracking technologies and cookie banner(s) and preference tool(s) to support a defense to wiretapping (e.g., CIPA) claims and comply with CPL notice and opt-out requirements, including browser privacy control signals, as explained here.
- If you process personal data of minors, consumer health data, precise location data, biometric data, or other sensitive personal data, consider the legal requirements and limitations that have been evolving in recent years and the growing application of consumer protection law principles to limit unexpected uses.
- Revisit and update your information governance roadmap or project plan and seek budget for 2026 initiatives. This should include:
  - Preparing for the Colorado AI Act
  - Preparing for California Automated Decision-making Technology rules (and addressing Colorado and other CPL Profiling rules)
  - Preparing for upcoming California cybersecurity audit requirements
  - Completing data mapping (required by Minnesota’s CPL and the new California cybersecurity regulations)
Many companies go on website code lock in mid-November, and Q4 is a hectic time between year-end financial closings and the holidays, so give yourself enough time to get revisions to notices, policies, and tools updated and published. Update your information governance roadmap for 2026 to reflect new laws, regulations, and enforcement trends and be sure your budget for next year reflects these needs.